DEBIAN-CVE-2026-31581
In the Linux kernel, the following vulnerability has been resolved: ALSA: 6fire: fix use-after-free on disconnect In usb6fire_chip_abort(), the chip struct is allocated as the card's private data (via snd_card_new with sizeof(struct sfire_chip)). When snd_card_free_when_closed() is called and no file handles are open, the card and embedded chip are freed synchronously. The subsequent chip->card = NULL write then hits freed slab memory. Call trace: usb6fire_chip_abort sound/usb/6fire/chip.c:59 [inline] usb6fire_chip_disconnect+0x348/0x358 sound/usb/6fire/chip.c:182 usb_unbind_interface+0x1a8/0x88c drivers/usb/core/driver.c:458 ... hub_event+0x1a04/0x4518 drivers/usb/core/hub.c:5953 Fix by moving the card lifecycle out of usb6fire_chip_abort() and into usb6fire_chip_disconnect(). The card pointer is saved in a local before any teardown, snd_card_disconnect() is called first to prevent new opens, URBs are aborted while chip is still valid, and snd_card_free_when_closed() is called last so chip is never accessed after the card may be freed.
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:11 | linux | 7.0.1-1, 5.14.6-2, 5.14.9-1 |
| Debian:13 | linux | 0, 6.12.74-2, 6.12.74-2 |
| Debian:12 | linux | 6.12.63-1, 6.10.6-1, 6.10.6-1 |
| Debian:14 | linux | 6.16-1~exp1, 6.16.1-1~exp1, 6.16.10-1 |
Exploit Intelligence
- 4694.0.0.yml (github-poc)
Timeline
- Apr 24, 2026 CVE Published
- May 1, 2026 CVE Updated